---
layout: docs
page_title: rsadecrypt - Functions - Configuration Language
description: The rsadecrypt function decrypts an RSA-encrypted message.
---

# `rsadecrypt` Function

<Note title="Deprecated">
This function is deprecated and may be removed in the future.
</Note>

<Warning>
While it is possible to use safely, it encourages use of cryptographic
primitives with <a href="https://en.wikipedia.org/wiki/PKCS_1#Attacks">known
weaknesses</a>. <a href="/nomad/docs/concepts/variables">Nomad Variables</a>
and <a href="/nomad/docs/secure/vault">HashiCorp Vault</a> are
the recommended ways to provide secrets to workloads.
</Warning>

`rsadecrypt` decrypts an RSA-encrypted ciphertext, returning the corresponding
cleartext.

```hcl
rsadecrypt(ciphertext, privatekey)
```

`ciphertext` must be a base64-encoded representation of the ciphertext, using
the PKCS #1 v1.5 padding scheme. Nomad uses the "standard" Base64 alphabet
as defined in [RFC 4648 section 4](https://tools.ietf.org/html/rfc4648#section-4).

`privatekey` must be a PEM-encoded RSA private key that is not itself
encrypted.

Nomad has no corresponding function for _encrypting_ a message. Use this
function to decrypt ciphertexts returned by remote services using a keypair
negotiated out-of-band.

## Examples

```shell-session
> rsadecrypt(base64(file("${path.folder}/ciphertext")), file("privatekey.pem"))
Hello, world!
```
